Position Brief: Access to Services (NetID Lifecycle)
Approved by Executive Tier on November 1, 2012
ICIT provides Net-ID-based authentication to a number of campus services including email, file storage, student and employee records systems, and others. Some of these systems are provided as campus-wide services to enhance productivity and learning, while others are specific business systems that meet the operational needs of departments on campus.
These systems fall into two main classes:
Requirements and Issues for Access to Services
ICIT and the campus are challenged with providing appropriate and timely access to services when users are authorized, as well as ensuring that access is removed when no longer needed. In order to provide a framework for designing access control systems that meet this need, we suggest that the three system classifications defined above serve as a basis for determining how and when users will be granted access to services as well as when that access will be removed.
ICIT will provide access (or will work with campus departments to ensure that access is provided) according to the following schedule for students:
|Type of System||Applies||Enrolls||Is no longer enrolled||Graduates|
|Enterprise Communication and Collaboration System||No access||Access granted||Retained for 180 days||Retained for 180 days|
|Campus Business System||Access granted||Access retained||Access retained||Access retained|
Access is granted to students to maintain their own information in WINS, and is retained after graduation or active enrollment for ongoing access to the student's own information. ICIT will provide access (or will work with campus departments to ensure that access is provided) according to the following schedule for employees:
|Type of System||Is Hired||Changes Jobs||Ceases Employment||Retires|
|Enterprise Communication and Collaboration System||Access granted||Access retained||Retained for 14 days||Access retained*|
|Campus Business System||Access granted||Access reviewed**||Access removed||Access removed|
*Access for retirees will be maintained to the extent that cost and software licensing allow.
**Review process may require an additional request by employee or supervisor to retain access in new role
ICIT provides an expedited process for disabling access for employees in situations that require an immediate suspension of access to electronic systems. To initiate this process, contact the TSC Helpdesk at 472-4357 or firstname.lastname@example.org.
Retention / Review of Business Records
In order to facilitate an appropriate transition of business records during a staff member's departure, iCIT can make a copy of a departing employee's email and network file storage available to the employee's supervisor. This is done only upon request, and must be requested within 7 days of the employee's end date and requires approval of Provost (or designee) in the case of faculty or Vice Chancellor of Administrative Affairs (or designee) in the case of all other staff.
Notification regarding loss of access
ICIT will provide automated notice to students, faculty, and staff via email prior to removing access to campus-wide or enterprise communication services. It will be the responsibility of individual campus business system owners and supervisors to communicate access status for these employees. Where this access is manually granted/revoked, it will be the responsibility of the unit maintaining access to remove access as appropriate.
APPENDIX 1 - PROCESS FOR DISABLING EMPLOYEE EMAIL
1. When an employee's appointment record is updated with an end date, a hold will be placed on the account to prevent deletion of email items. Items that are deleted will be placed in a 'hold' status and will not be purged from the system.
2. On the employee's end date, a copy of the employee's mailbox will be preserved and an automatic reply will be placed on the account. A mailbox copy can be provided to the employee's supervisor on request and with appropriate approval, and an alternate wording for the default automatic reply can be provided by the employee's supervisor.
3. Employee will be provided with access to mailbox for 14 days after the employee's appointment end date.
4. After 14 days, a final copy of the mailbox will be archived and the account will be removed from the email system. This copy will also be provided to supervisor provided approval has been granted previously.
Operational Policies define ICIT's services, expectations, and role as part of the campus community.